Commit message | Author | Age | Files | Lines
* iptables: add noreturn attribute to exit_tryhelp()
  Dmitry V. Levin | 2010-05-14 | 2 files | -2/+2

  Found by gcc -Wmissing-noreturn.

  Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: REDIRECT: fix --to-ports parser
  Dmitry V. Levin | 2010-05-14 | 1 file | -22/+18

  Rewrite port range validator to use xtables_strtoui() and
  xtables_param_act(). Original check failed to recognize several types
  of port range errors, including: "-1", "-1a", "-1-a", "a-1", "1a-2",
  "1-2a", etc. Also, original parser erroneously denied using port 0,
  which is now allowed.

  Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: optionally disable largefile support
  Karl Hiramoto | 2010-05-10 | 1 file | -1/+7

  Many toolchains for embedded systems don't have largefile support:

      usr/include/features.h:383:4: error: #error It appears you have defined _FILE_OFFSET_BITS=64. Unfortunately, uClibc was built without large file support enabled.
      In file included from /build_armeb/staging_dir/usr/include/stdio.h:72,
                       from libiptc/libip4tc.c:18:
      /build_armeb/staging_dir/usr/include/bits/uClibc_stdio.h:72:2: error: #error Sorry... uClibc was built without large file support!
      In file included from libiptc/libip4tc.c:18:
      /build_armeb/staging_dir/usr/include/stdio.h:83: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'fpos_t'
      In file included from libiptc/libip4tc.c:18:
      /build_armeb/staging_dir/usr/include/stdio.h:709: error: expected declaration specifiers or '...' before 'fpos_t'
      /build_armeb/staging_dir/usr/include/stdio.h:711: error: expected ';', ',' or ')' before '*' token

  Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_conntrack: document --ctstate UNTRACKED
  Simon Lodal | 2010-05-10 | 2 files | -0/+7

  Signed-off-by: Simon Lodal <simonl@parknet.dk>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* CT: fix --ctevents parsing
  Pablo Neira Ayuso | 2010-05-09 | 1 file | -2/+2

  This patch fixes the following problem:

      # iptables -t raw -I PREROUTING -t raw -j CT --ctevents assured
      iptables v1.4.7: Unknown event type "assured"
      Try `iptables -h' or 'iptables --help' for more information.

  However, `assured' is one of the supported arguments for --ctevents.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iprange: fix xt_iprange v0 parsing
  Vincent Bernat | 2010-04-21 | 1 file | -3/+5

  iprange_parse() was incomplete and did not include parsed ranges into
  ipt_iprange_info structure resulting in always adding range
  0.0.0.0-0.0.0.0 in the kernel.

  Moreover, when using --dst-range, error messages may display
  --src-range instead. Fix this too.

  Signed-off-by: Vincent Bernat <bernat@luffy.cx>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_CT: print conntrack zone in ->print/->save
  Patrick McHardy | 2010-04-20 | 1 file | -0/+4

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_osf: import nfnl_osf program
  Jan Engelhardt | 2010-04-06 | 7 files | -3/+1191

  xt_osf is pretty useless without the actual fingerprint loader.
  Import nfnl_osf-2009-06-07 and make it a part of the iptables
  distribution.

  Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru>
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: add manpage for libxt_osf
  Jan Engelhardt | 2010-04-06 | 2 files | -2/+47

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_recent: add a missing space in output
  Jan Engelhardt | 2010-04-06 | 1 file | -1/+1

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: remove claim that TCPMSS is limited to mangle
  Jan Engelhardt | 2010-04-06 | 1 file | -4/+1

  There was no real restriction, and in fact, the kernel module never
  had such a limitation in the last years.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: libxt_MARK: no longer restricted to mangle table
  Jan Engelhardt | 2010-04-06 | 1 file | -3/+4

  MARK used to be limited to the mangle table, but there was no real
  restriction.

  References: http://marc.info/?l=netfilter-devel&m=126806510332668&w=2
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: correctly check for too-long chain/target/match names
  Jan Engelhardt | 2010-03-16 | 5 files | -4/+21

  * iptables-restore was not checking for chain name length
  * iptables was not checking for match name length
  * target length was checked against 32, not 29.

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_CT: add a manpage
  Jan Engelhardt | 2010-03-11 | 2 files | -1/+26

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_comment: avoid use of IPv4-specific examples
  Jan Engelhardt | 2010-03-11 | 1 file | -1/+1

  Since libxt_comment.man is included in both iptables.8 and
  ip6tables.8, we should probably try to create examples that do not
  rely on either address family.

  References: http://bugs.debian.org/572628
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add CT extension
  Patrick McHardy | 2010-03-08 | 3 files | -0/+226

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables 1.4.7 (tag: v1.4.7)
  Patrick McHardy | 2010-03-01 | 2 files | -3/+3

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* libip4tc: Add static qualifier to dump_entry()
  Dmitry V. Levin | 2010-02-18 | 1 file | -2/+2

  Change dump_entry() signature defined in libip4tc.c to match prototype
  declared in libiptc.c and another static dump_entry() function defined
  in libip6tc.c. This function is not a part of the public libiptc API.

  Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Lift restrictions on interface names
  Jan Engelhardt | 2010-02-09 | 1 file | -6/+5

  The kernel has few restrictions.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* includes: header updates
  Jan Engelhardt | 2010-02-01 | 71 files | -657/+420

  Update the shipped Linux kernel headers from 2.6.33-rc6, as iptables's
  ipt_ECN.h for example references ipt_DSCP.h, which no longer exists.
  Since a number of old code pieces have been removed in the kernel in
  that fashion, the structs for older versions are moved into the .c
  file, to keep header updating simple.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* policy: fix error message showing wrong option
  Jan Engelhardt | 2010-01-31 | 1 file | -1/+1
* doc: mention requirement of additional packages for ipset
  Jan Engelhardt | 2010-01-19 | 2 files | -0/+8

  References: https://bugzilla.novell.com/561177
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix limit manpage to reflect actual supported syntax
  Jan Engelhardt | 2010-01-19 | 1 file | -1/+1

  References: https://bugzilla.novell.com/561179
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix recent manpage to reflect actual supported syntax
  Jan Engelhardt | 2010-01-19 | 1 file | -2/+5

  References: https://bugzilla.novell.com/561180
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* recent: reorder cases in code (cosmetic cleanup)
  Jan Engelhardt | 2010-01-19 | 1 file | -8/+8

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipq: build as shared library
  Jan Engelhardt | 2009-12-28 | 1 file | -2/+2

  Antique software (see link) built as shared library requires objects
  compiled with -fPIC, so the standard archive won't do.

  References: http://bugs.debian.org/527733
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Bump version to v1.4.6 (tag: v1.4.6)
  Patrick McHardy | 2009-12-09 | 1 file | -1/+1

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' of git://dev.medozas.de/iptables
  Patrick McHardy | 2009-11-24 | 5 files | -16/+26
* doc: name resolution clarification
  Jan Engelhardt | 2009-11-18 | 2 files | -7/+11

  Sometimes there are users who wonder about when name resolutions/DNS
  queries are done, so let's add that for completeness.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: explain experienced --hitcount limit
  Jan Engelhardt | 2009-11-17 | 1 file | -1/+3

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: take masks into consideration for replace command
  Jan Engelhardt | 2009-11-15 | 2 files | -8/+12

  The two commands:

      -A OUTPUT -d 10.11.12.13/32 -j LOG
      -R OUTPUT 1 -j LOG -d 10.11.12.13

  will replace 10.11.12.13/32 by 10.11.12.13/0, which is not right.
  (No regression, this problem was there forever.)

  Reported-by: Werner Pawlitschko <werner.pawlitschko@arcor.de>
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* conntrack: fix --expires parsing
  Patrick McHardy | 2009-11-20 | 1 file | -1/+1

  Using ranges in --ctexpire results in a parsing error:

      conntrack: Bad value for "--expires" option: "1:1000"

  The first value is parsed twice, after which the end pointer doesn't
  point to the expected '\0' but to the colon.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: add osf extension
  Patrick McHardy | 2009-11-12 | 2 files | -0/+290

  From Evgeniy Polyakov <zbr@ioremap.net>

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* DNAT: fix incorrect check during parsing
  Patrick McHardy | 2009-11-06 | 1 file | -1/+1

  Specifying --random before --to-dest results in:

      Multiple --to-destination not supported

  Fix the flags check to only test the IPT_DNAT_OPT_DEST bit.

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* CONNMARK: print mark rules with mask 0xffffffff as set instead of xset
  Jan Engelhardt | 2009-11-04 | 1 file | -0/+2

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark
  Patrick McHardy | 2009-11-04 | 1 file | -0/+2

  Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables/extensions: make bundled options work again
  Jan Engelhardt | 2009-11-03 | 39 files | -107/+107

  When using a bundled option like "-ptcp", 'argv[optind-1]' would
  logically point to "-ptcp", but this is obviously not right. 'optarg'
  is needed instead, which is properly offset to "tcp".

  Not all places change optind-based access to optarg; where look-ahead
  is needed, such as for tcp's --tcp-flags option for example, optind
  is ok.

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: hand argv to xtables_check_inverse
  Jan Engelhardt | 2009-11-03 | 65 files | -142/+143

  In going to fix NF bug #611, "argv" is needed in xtables_check_inverse
  to set "optarg" to the right spot in case of an intrapositional
  negation.

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* style: reduce indent in xtables_check_inverse
  Jan Engelhardt | 2009-10-29 | 1 file | -16/+16

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: fix undersized deletion mask creation
  Jan Engelhardt | 2009-10-29 | 2 files | -12/+16

  The mask created for the -D rulespec is simply too small.
  xtables_targets points to whatever target has last been loaded, so
  xtables_targets->size is quite almost wrong, as we need to use the
  size of the target for the specific rule that is about to be deleted.

  This bug existed ever since iptables history is tracked, and requires
  certain circumstances to be visible, where the deletion operation is
  one. Furthermore, multiple userspace target extensions must have been
  loaded, and a target B whose .size is smaller than the target A of
  the rule we are about to delete must have been loaded more recently
  than target A.

  The minimal testcase is (rule 60007 gets wrongly removed)

      *nat
      -F
      -X
      -A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60007
      -A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
      -A POSTROUTING -p udp -j CONNMARK --set-mark 0
      -D POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
      COMMIT

  References: http://bugzilla.netfilter.org/show_bug.cgi?id=606
  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: fix wrong maptype of base chain counters on restore
  Jan Engelhardt | 2009-10-29 | 1 file | -1/+1

  When a ruleset that does not reset any chain policies/counters, such
  as

      *filter
      COMMIT

  is sourced by iptables-restore, the previous policy and counters
  (i.e. the ones read from the kernel) are reused. The counter skew
  offsetting is wrong however, causing the read value to be re-added to
  the kernel value. This manifests itself in practice by the counter
  value almost doubling every time iptables-restore is called.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: restore --disable-ipv6 functionality on system w/o v6 headers
  Olaf Rempel | 2009-10-29 | 1 file | -1/+2

  Commit 332e4acc (iptables: accept multiple IP address specifications
  for -s, d) broke the --disable-ipv6 configure option.

  > ./.libs/libxtables.so: undefined reference to `in6addr_any'

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iprange: warn on reverse range (log)
  Jan Engelhardt | 2009-10-29 | 0 files | -0/+0

  Reverse ranges like B-A cause packets to be generally never matched,
  as an address S does not match >=B && <=A (except for the border case
  where S=A=B). The kernel module itself does not check for reverse
  ranges, and it seems nicer to check that in userspace anyway.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iprange: do accept non-ranges for xt_iprange v1 (log)
  Jan Engelhardt | 2009-10-25 | 0 files | -0/+0

  Details for commit v1.4.5-11-ga10a12a:

  "When upgraded to new lenny kernel from 2.6.24 from etch'n'half
  iprange now does not allow to use single ip-address as its argument:

      # iptables -A FORWARD -m iprange --src-range 192.168.0.0"

  References: http://bugs.debian.org/547139

  What we have here is that the user is now using iprange v1 from
  previously v0. Add recognition for single addresses to v1.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iprange: roll address parsing into a loop
  Jan Engelhardt | 2009-10-25 | 1 file | -20/+16
* iprange: warn on reverse range
  Jan Engelhardt | 2009-10-25 | 1 file | -22/+29
* iprange: do accept non-ranges for xt_iprange v1
  Jan Engelhardt | 2009-10-25 | 1 file | -72/+47

  [fill in details]
* libiptc: avoid strict-aliasing warnings
  Jan Engelhardt | 2009-10-25 | 3 files | -5/+11

      In file included from libiptc/libip4tc.c:117:0:
      libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
      libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
      libiptc/libiptc.c: In function ‘iptc_get_target’:
      libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
      libiptc/libip4tc.c: In function ‘dump_entry’:
      libiptc/libip4tc.c:157:3: warning: dereferencing type-punned pointer will break strict-aliasing rules
        CC     libiptc/libip6tc.lo
      In file included from libiptc/libip6tc.c:112:0:
      libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’:
      libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
      libiptc/libiptc.c: In function ‘ip6tc_get_target’:
      libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
      libiptc/libip6tc.c: In function ‘dump_entry’:
      libiptc/libip6tc.c:188:3: warning: dereferencing type-punned pointer will break strict-aliasing rules

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: remove unused functions
  Jan Engelhardt | 2009-10-25 | 1 file | -39/+0

  Fix the two warnings in libiptc.c:

        CC     libiptc/libip4tc.lo
      libiptc/libiptc.c:1570:1: warning: ‘iptc_num_rules’ defined but not used
      libiptc/libiptc.c:1586:1: warning: ‘iptc_get_rule’ defined but not used
        CC     libiptc/libip6tc.lo
      libiptc/libiptc.c:1570:1: warning: ‘ip6tc_num_rules’ defined but not used
      libiptc/libiptc.c:1586:1: warning: ‘ip6tc_get_rule’ defined but not used

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* realm: remove static initializations
  Jan Engelhardt | 2009-10-25 | 1 file | -3/+2

  Save a little disk space, they are initialized to zero anyway.

  Signed-off-by: Jan Engelhardt <jengelh@medozas.de>